141. Attacks on Specialized Systems (OBJ 3.5)
In this section of the course, we're going to discuss the different types of attacks that can be conducted against specialized systems, such as Internet of Things devices, embedded systems, ICS and SCADA devices, data storage systems, virtual machines, hypervisors, and containerized services. The Internet of Things is constantly expanding, and this has led to the deployment of more and more network-connected devices across the globe. These devices, though, are inherently insecure and vulnerable to attack. In many of your engagements, you're going to find that an easy way to break into a network is to exploit some kind of Internet of Things device, like a smart TV, a thermostat, a wireless security camera system, or even a network-connected refrigerator.
If the target organization is involved in manufacturing, then you may also be expected to perform an assessment of their operational technology network, in addition to their information technology network, which consists of all their normal servers, desktops, and laptops. This means you're going to be looking at industrial control systems, SCADA networks, and embedded systems, in addition to all the traditional IT equipment.
Now on the other hand, if you’re assessing a more modern organization, you may find yourself looking at the underlying infrastructure that supports their cloud servers. This can be virtual machines, data storage devices, and possibly even containers. So as we continue to move through our coverage of domain three, attacks and exploits, we’re going to be looking at the second half of objective 3.5, which focuses on specialized systems.
This objective states that you must explain common attacks and vulnerabilities against specialized systems. Now notice again, this objective is focused only on your ability to explain these systems and their vulnerabilities, not your ability to actually perform an attack against them. As we move through this section of the course, we're going to begin by discussing the Internet of Things and the underlying communication protocols that these devices rely on. Then we're going to move into some more specific vulnerabilities that we can use to exploit those IoT devices. After that, we're going to cover the different types of embedded systems and the technologies that utilize them. Then we're going to move into our coverage of ICS and SCADA devices, their specific protocols, and their vulnerabilities.
Next, we'll discuss the vulnerabilities that affect data storage systems like direct attached storage, network attached storage, and storage area networks. After that, we're going to move into our coverage of virtualization, hypervisors, and virtual machines, along with the vulnerabilities and attacks that affect them. Finally, we're going to discuss containerization technologies and the vulnerabilities that can be exploited when your target organization heavily uses containerization for their compute workloads. All right, it's time to continue our coverage of domain three, attacks and exploits, with attacks on specialized systems in this section of the course.
142. Internet of Things (IoT) Devices (OBJ 3.5)
What is the Internet of Things? Well, it's pretty much everything. If your refrigerator has a wireless connection in it, it's part of the Internet of Things. For example, there are some refrigerators out there right now that can connect to the internet and use things like Alexa to add items to or remove items from your shopping list. In my house, we have a Nest thermostat, which is part of the Internet of Things. I have smart TVs that access the internet and let me watch YouTube and Netflix, and these are all part of the Internet of Things as well. Your lights, security cameras, and cars can also be considered part of the Internet of Things. You see, all these things, wherever they are, seem to be online and connected these days, and this is where the Internet of Things comes in. Pretty much anything that can connect to the internet could be considered part of the Internet of Things.
So when we define the Internet of Things, or IoT, we're really just talking about a group of objects, electronic or not, which are all connected to the wider internet by using embedded electronic components. This is how the Internet of Things is properly defined. So if you think about your home, you might have a smart home with a smart door lock on the front door. You might also have a camera sitting there so you can see people as they come up to your door, and if they press the button on your doorbell, it can ring on your smartphone so you'll be able to see who's at your door before you get up from the couch. You can even have a smart air conditioner that keeps track of the temperatures in the rooms, and it can also be set up so you can change it from anywhere in the world because it's internet connected too.
Or you might have a lighting system where you can control whether the lights are going to be white, red, or blue, because they're connected to the internet as well. You can utilize energy management or appliance control all from your smartphone, or you might have a smart device like a smart TV or a smart speaker. All these things can be connected inside of your home or your office, and they give you a lot of great capability. But the biggest problem with all of these things is that they're not always safe or secure, and security is usually considered an afterthought in comparison to convenience inside of these IoT devices.
To best understand the vulnerabilities associated with IoT devices, we first have to look at the different networking technologies and protocols that are used by these IoT devices to communicate with each other, with their base stations, and with the internet at large. These protocols include Wi-Fi, Bluetooth, RFID, near field communication, infrared, Z-Wave, and ANT+. Now the first one is Wi-Fi, also known as wireless networking or 802.11. Wi-Fi can be operated in either infrastructure mode or ad hoc mode to create a local area network or a personal area network when you're using IoT devices. For example, if you have a smart speaker, refrigerator, or thermostat, those IoT devices can use Wi-Fi to connect to your local area network and then out to the internet as well. The second technology we need to talk about is Bluetooth. Bluetooth is a relatively short-range wireless networking technology that can be used by IoT devices. Bluetooth also comes in a low energy variant, making it very popular for smaller IoT devices. For example, there are Bluetooth-enabled key chain fobs that can connect to your smartphone so you can determine exactly where your keys are if you lose them.
These embedded tracking tags use Bluetooth Low Energy, or BLE. By using this BLE variant, they can be small, portable devices that last a really long time on a minimal battery charge. Bluetooth devices can also become part of a mesh network, where your key chain fob connects to your smartphone over Bluetooth, and then your smartphone connects to cellular or Wi-Fi to reach the internet, so the location of those keys can be easily tracked. The next wireless technology we need to talk about is RFID. RFID, or radio frequency identification, is often used to interconnect badges and card keys to the network. For example, if you have ever gone to a hotel room and used a tap-to-open card for the hotel's door lock, this is based on RFID technology because the key card has an RFID chip embedded into that plastic card. As that card is placed next to the door lock, the lock uses an electromagnetic field to read the embedded chip or tag in that key and lets you unlock the door.
This door lock can then report its open or closed status back to a central server using its own network connection, too. The next IoT technology we need to talk about is NFC, or near field communication. NFC enables two electronic devices to communicate when they come within about four centimeters of each other. NFC is commonly used inside of tap-to-pay systems like Apple Pay, Google Pay, or Samsung Pay. When you place your smartphone near the reader, the payment information is transferred from the phone to the payment terminal using near field communication. Another wireless technology used in IoT devices is known as infrared, or IR.
Infrared is used by devices that communicate over line of sight using light beams in the infrared spectrum. For example, a typical television remote uses infrared technology. Infrared is considered an older technology; it only covers a limited distance, and it's only going to be used when you need a relatively low bandwidth solution. Now, there are two newer technologies used in IoT automation devices as well, and these are known as Z-Wave and ANT+. Z-Wave is a short-range, low-latency data transfer technology that uses less power and has lower data rates than Wi-Fi.
Since Wi-Fi uses so much power to transmit and receive its signals, it's not a great choice for home automation applications. Instead, Z-Wave uses lower amounts of power and allows Internet of Things devices to last a lot longer on a given battery charge. The trade-off here is that you're getting lower power consumption, but you're also getting lower bandwidth. This allows you to use the device for a longer period of time, though, making it a good option. For example, if you have a digital keypad connected wirelessly to your home security system, it is often going to use Z-Wave technology because it doesn't require a high amount of bandwidth to send that simple four- or eight-digit PIN over to the security system's base station.
When you hear the term Z-Wave, I want you to associate it with home automation. Things like turning on your lights, turning music on or off, and that kind of thing all use Z-Wave. Now, another newer technology that you might use in IoT devices is known as ANT+, or A-N-T plus. ANT+ is a technology used for the collection of sensor data from different IoT devices. For example, if your car has an integrated tire pressure system in it, it might be using ANT+ to send that data to your display console.
ANT+ is also used for other types of sensors, such as determining if a light is on or off, whether moisture is detected in the basement walls, or the temperature in a particular room. Anything with a sensor in it is usually going to rely on ANT+ because it's a low-power and low-bandwidth communication solution. Now, as you consider the different IoT devices and their communication, remember that communication can occur as either machine-to-machine or machine-to-person communication. Machine-to-machine, or M2M, involves communication between the IoT device and some other traditional system like a server or a gateway. Machine-to-person, or M2P, involves communication between an IoT device and the end user.
For example, at my office we have an IoT sensor that's connected to our power line. If that sensor detects a drop in voltage on the power line that supplies electricity to the office, it's going to send a signal over to a diesel generator that's out back, and it's going to turn it on and take over responsibility for providing power to the building. This is an example of machine-to-machine communication combined with some business logic to take action when needed. On the other hand, when I ask the smart speaker to turn on the lights in my studio, I simply say, "Alexa, turn on studio lights," and the device responds by turning on the lights and then sending a machine-to-person communication in response by saying, "Okay, I've turned on the studio lights." It's important to understand both of these types of communication because both are places where you can exploit vulnerabilities as a penetration tester.
143. Internet of Things (IoT) Vulnerabilities (OBJ 3.5)
In this lesson, we're going to discuss the different types of Internet of Things, or IoT, vulnerabilities that you can target as an attacker. As a cybersecurity professional, having all of these different devices connecting to our networks can be a little frightening, right? One of the ongoing jokes in the cybersecurity community is that security is what the S stands for in Internet of Things. Now, notice there is no S in IoT, right? That means there's no security at all in IoT, and that's the joke, anyway. From a technology and convenience standpoint, these IoT devices are really cool, and they let us do all sorts of really neat things. I can pull out my smartphone from anywhere in the world and turn on the lights in my house, or I can turn up or turn down the temperature, or I can activate my alarm system, all by using IoT devices. While all of these are really cool technologies and features, you also have to think about the security of these devices as they're being connected to your organization's network and how you might keep the rest of the systems on the network safe and secure. If these devices aren't well secured, then they can be prime targets for attackers to use as an entry point into the corporate network, and then we can use those as a foothold or pivot point into other, more interesting targets for further exploitation.
Now, most IoT devices are manufactured for convenience rather than security, like I said. Now, one of the big goals in manufacturing these devices is to keep them very affordable. For this reason, most IoT devices are going to use an embedded version of Linux or Android as their operating system so they don’t have to pay for an expensive operating system. But because they have Linux or Android as their operating system, this means they’re vulnerable to the same types of attacks as other Linux servers or Android smartphones.
For example, if there’s a Linux vulnerability out there for the version of Linux used on a smart device, that means that smart device, like a smart TV or smart speaker, is also vulnerable to that same attack. Also, because of cost considerations, many manufacturers are using outdated or insecure hardware components, and this represents another vulnerability that could be attacked by a penetration tester. Each smart device is going to have firmware that’s loaded with the operating system and the drivers to support its hardware components.
This firmware can easily become out of date if it's not routinely scanned and patched for vulnerabilities as well. It's also common for vendors, especially vendors of inexpensive IoT devices, to simply ignore security and not release updated versions of their firmware when new vulnerabilities are discovered. Even if the vendor does provide updates, it's very common that users and administrators don't update the software on their IoT devices. This can lead to a device running a version of Linux that's five years old because it had a smaller code base and was free for the manufacturer to install in the device's firmware.
But it never got updated, and therefore, it becomes a huge vulnerability. Now, as a penetration tester, you can often find a very vulnerable IoT device on a target’s network, exploit it by attacking its outdated components, firmware, or vulnerable operating systems, and then use that as a foothold or pivot point into the larger network.
For example, if the organization has a smart TV in the conference room, that could be an attack vector for us to get into their network. To prevent this, organizations need to properly install, secure, and segment their IoT devices into their own subnet, VLAN, or network outside of the normal IT production network. Some common vulnerabilities you’re going to find in IoT devices involve insecure defaults, hard-coded configurations, clear text communication, and data leakage. Insecure defaults are commonly used in IoT devices.
These defaults may include things like administrative login credentials that are set to something like username:admin, password:admin, or not having a password set at all. Other vulnerable defaults involve the number of ports open on a given IoT device, whether the device allows anyone to connect to it without authorization, and the device’s firewall being completely turned off by default.
As a penetration tester, if you can determine the model number of an IoT device, you can then reference its manual and determine what vulnerable defaults are set on that device without too much difficulty. Hard-coded configurations are another big vulnerability. Hard-coded configurations may include the ability for a device to self-register with its manufacturer upon connecting to your network. This might include sending out a username and password in plain text from its configuration file, or having other settings that are unchangeable in the device because they're imprinted into the device's firmware and its settings. Clear text communication is another issue with most IoT devices.
Because these devices are designed to be inexpensive, their hardware often can't support encrypting their communications, because this would require more expensive hardware. To ease the resource requirements, these devices simply send their data in plain text or clear text, which can then be intercepted by an attacker and read. This can lead to the problem of data leakage as well. Because these IoT devices send their data in clear text, if sensitive data is leaked by that device, an attacker can easily read and understand what's being transmitted.
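To make the weaknesses covered in this lesson concrete from the defender's side, here is an added example (not part of the course) that audits a constructed device inventory for the findings just described: default credentials, clear text management protocols, a disabled firewall, hard-coded secrets in a config file, stale firmware, and a device that was never segmented onto its own subnet. The default credential list, the dedicated IoT subnet 10.50.0.0/24, the one-year firmware age limit, and the three sample devices are all assumptions made up for the example.

```python
"""Audit a constructed IoT inventory for the common weaknesses described above."""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Assumption: factory-default credential pairs of the kind a device manual lists.
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("root", "root"), ("user", "user")}
# Management protocols that carry credentials and data in clear text.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}
IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")   # assumed dedicated IoT VLAN
MAX_FIRMWARE_AGE_DAYS = 365                         # assumed patch-age tolerance


@dataclass
class Device:
    name: str
    ip: str
    username: str
    password: str
    mgmt_protocols: list          # protocols exposed for administration
    firewall_enabled: bool
    firmware_date: date           # release date of the running firmware
    plaintext_secret_in_config: bool = False


def audit_device(dev: Device, today: date) -> list:
    """Return the list of finding tags for one device (empty list means clean)."""
    findings = []
    if (dev.username, dev.password) in DEFAULT_CREDS:
        findings.append("insecure-default-credentials")
    clear = sorted(p for p in dev.mgmt_protocols if p in CLEARTEXT_PROTOCOLS)
    if clear:
        findings.append("cleartext-management:" + ",".join(clear))
    if not dev.firewall_enabled:
        findings.append("firewall-disabled")
    if dev.plaintext_secret_in_config:
        findings.append("hard-coded-secret-in-config")
    if (today - dev.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale-firmware")
    if ipaddress.ip_address(dev.ip) not in IOT_SUBNET:
        findings.append("not-segmented")
    return findings


def audit_inventory(devices, today: date) -> dict:
    """Map each device name to its findings."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed sample inventory: one neglected smart TV on the production LAN,
# one properly configured thermostat, and one camera with mixed hygiene.
SAMPLE = [
    Device("conference-tv", "10.10.1.23", "admin", "admin",
           ["http", "telnet"], False, date(2017, 3, 1)),
    Device("lobby-thermostat", "10.50.0.12", "ops", "Corr3ct-Horse-Battery",
           ["https"], True, date(2024, 1, 15)),
    Device("warehouse-camera", "10.50.0.40", "root", "root",
           ["https", "http"], True, date(2024, 3, 1), plaintext_secret_in_config=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, date(2024, 6, 1)).items():
        print(f"{name}: {findings or ['no findings']}")
```

The tags map one-to-one onto the remediation steps the lesson calls for: change defaults, disable clear text management, turn the firewall on, update firmware, and move the device onto the IoT subnet.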
Since most IoT devices support Bluetooth, it's really common for an attacker to monitor the Bluetooth frequencies being transmitted and eavesdrop on those frequencies. Any data captured can then be easily read to determine the device's model number, software version, and other details. In addition to this, attackers can monitor automation activities in a smart home or smart office, gather email addresses or phone numbers as they're being transmitted, and even eavesdrop on virtual assistant voice commands that are being issued by employees.
As an attacker, though, you do need to get fairly close to these devices to capture their Bluetooth communications, because Bluetooth devices communicate over a short range of usually less than 10 to 30 meters. Now, a common attack against Bluetooth Low Energy IoT devices is an availability attack that denies the device the ability to sleep. Since these Bluetooth Low Energy devices tend to have small battery reserves, they're programmed to sleep whenever they're not in use. This helps them conserve their battery life.
But if you can continually send signals to these devices, the device is then unable to sleep and it’s going to start draining its battery very quickly. If the battery becomes drained, that device can be forced offline, which can be a very useful thing if you’re attacking a wireless security camera system as a precursor to a physical security penetration test. These devices can also be attacked and have their data compromised either by modifying the data they’re reporting or simply by mirroring a copy of that data over to an attacker’s collection device as a form of data exfiltration. In general, IoT devices tend to be very fragile systems. If you run different exploits against them, you can either be successful in gaining root control over the device or you may simply knock over that device by crashing applications that are running on its embedded operating system.
When you're penetration testing IoT devices, you need to be careful about which exploits you're going to use, because you can inadvertently cause the device to go offline, crash, or malfunction. If the IoT devices you're testing are part of the Industrial Internet of Things, or IIoT, these devices could be attached to some rather large or dangerous machinery, and this can cause damage to expensive components or even injury to personnel. Therefore, you should always ensure the scope of your engagement specifically includes or excludes these types of Industrial Internet of Things devices based on your engagement's goals and your team's skill level. In summary, when it comes to normal Internet of Things devices, remember, these systems tend to be pretty vulnerable, and they're a great target for your attacks during a penetration testing engagement.